Story image

Locky ransomware's 'rebirth' puts everyone at risk once again

21 Aug 2017

The Locky ransomware is back and using social engineering in another round of email-based attacks on tens of thousands of users, according to a new report from Comodo’s Threat Intelligence Lab.

The company is calling the resurgence of Locky a ‘rebirth’, noting that the new ransomware campaign began on August 9 and is continuing to appear in inboxes.

The attack is housed in email with an attachment and either little or no content in the body. The attachment name varies, however the basic format is the same: “E 2017-08-09 (580)”. While the extension and filenames ‘(580)’ change frequently, the email always contains an unknown file.

According to researchers, the attachment downloads IKARUSdilapidated, which is the newest variant of Locky.

Because it is a new variant, most organisations’ security programs read it as an ‘unknown file’. For those who do not use a ‘default deny’ security posture, they could easily be infected by the ransomware, Comodo claims.

‘Default deny’ security postures work by denying all unknown files until they are verified as ‘good’ files.

When users click on the attachment, macros save and run a file that contains the Trojan. That Trojan then encrypts all files that match certain extensions.  Users are then asked to download anonymous browsing platform Tor, which is used to facilitate the ransom demand.

The ransom amount varies between 0.5-1 bitcoin, which is equal to NZD$2773-$5546.

While most targets have been in Indonesia, India, Vietnam, India and Mexico, the phishing campaign is targeting 11,625 across 133 different countries.

Most victims have been telecommunications firms and Internet Service Providers. Researchers suggest these industries have been targeted to set up a botnet with a complex command and control architecture.

Comodo Threat Intelligence Lab head Fatih Orhan says that the attack was an interesting case in terms of its sophistication and scale of attack through the botnet.

“When artificial intelligence couldn’t identify these unknown files, the full resources of the lab were needed to analyze and identify the code in the file and render a verdict; in this case the verdict was “bad” and we’ve now added it to our blacklist and malware signature list,” he says.

The Locky ransomware has been through many iterations since its 2016 discovery. It generally used the same tactic of an email with an attachment that runs the code and launches the ransomware.

According to Malwarebytes researchers, the Locky malware is difficult to predict.

“Over the last few months, Locky has drastically decreased its distribution, even failed to be distributed at all, then popped back up again, vanished and reappeared once more,” Malwarebytes researchers state in a blog.

The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should never assume Locky is gone simply because it’s not active at a particular given time,” they conclude.

Mozilla launches Firefox Send, an encrypted file transfer service
Mozille Firefox has launched a free encrypted file transfer service that allows people to securely share files from any web browser – not just Firefox.
Online attackers abusing Kiwis' generosity in wake of Chch tragedy
It doesn’t take some people long to abuse people’s kindness and generosity in a time of mourning.
Ransomware’s decline equals cryptomining’s rise
ESET’s Security Days Conference recently took place to go over the current threat environment and what to look out for next.
IoT and DDoS attacks: A match made in heaven
A10 Network’s Adrian Taylor uses findings from a number of reports to illustrate his point that advances in technology are facilitating cybercrime.
ForgeRock launches Sandbox-as-a-Service to facilitate compliance
The cloud-based testing environment for APIs enables banks to accelerate compliance with Open Banking and PSD2 deadlines.
Cloud application attacks in Q1 up by 65% - Proofpoint
Proofpoint found that the education sector was the most targeted of both brute-force and sophisticated phishing attempts.
Singapore firm to launch borderless open data sharing platform
Singapore-based Ocean Protocol, a decentralised data exchange that promotes data sharing, has revealed details of what could be the kickstart to a global and borderless data economy.
Huawei picks up accolades for software-defined camera ecosystem
"The company's software defined capabilities enable it to future-proof its camera ecosystem and greatly lower the total cost of ownership (TCO), as its single camera system is applicable to a variety of application use cases."